Image courtesy of Shuttestock
There has been no shortage of disturbing accounts of data breaches and system hacks across many of the world’s organizations. Enterprises are highly interconnected with customers, vendors, and each other in ways not even imaginable a few years ago. Such connectivity is essential to thrive in today’s digital economy; but at the same time, it exposes every piece of organizations to mischief and mayhem—from HR files to production sites to retail outlets. Many well-known companies and organizations have felt the sting of data hacks over the past year.
A recent survey of 353 data managers and professionals, members of the Independent Oracle Users Group, finds that enterprises are well aware of the risks they may encounter and bracing for the next potential onslaught of data security threats. More than one-third say their organizations are vulnerable, and likely to be hit by an incident, up from 20% in a similar survey conducted in 2008.
Predicted Likelihood of a Data Breach During the Next 12 Months
2008...20%
2014....34%
Source: DBA–Security Superhero: 2014 IOUG Enterprise Data Security Survey
While the threat is very real, many continue to engage in lax or counter-productive processes that only keep their doors open to malicious conduct. They recognize that data risks come from within, and continue to increase funding. However, close to half still release production data to outside parties, and more than one-fifth report sensitive data is still vulnerable to breaches.
The IOUG survey, conducted by Unisphere Research, a division of Information Today, Inc., and underwritten by Oracle Corp., finds that data security has evolved to that of a top business challenge which continues to grow, and the villains are taking advantage of lax preventive and detective measures. This survey is the latest in a series conducted since 2008, and finds relatively little progress toward achieving best practices in data security during this time. (DBA—Security Superhero: 2014 IOUG Enterprise Data Security Survey.)
Data managers and professionals recognize that outside hackers are a threat, but the greatest challenges come from within—from human errors in working with systems, from internal breaches by employees in and out of IT, and by lax management practices.
Figure 2: Where the Data Risks Are at This Time
Human error... 81%
Internal hackers or unauthorized users...66%
Abuse of privileges by IT staff...54%
Malicious code/viruses...53%
Unprotected web applications...52%
Outside hackers...49%
Advanced persistent threat...46%
Lack of management commitment/lax procedures...42%
Source: DBA–Security Superhero: 2014 IOUG Enterprise Data Security Survey
With such great dependency on digital commerce and capabilities, organizations need individuals who not only know the right technology fixes to keep the bad guys out of their databases, but can also alert, cajole, and assure the rest of the business about the right protocols and best practices to keep things secure. Senior executives are only too painfully aware of what’s at stake for their businesses, but often don’t know how to approach the challenge. This is an opportunity for database administrators and security professionals to work together, take a leadership role, and move the enterprise to take action. Who else can we look to as stewards of sensitive intellectual property, personally identifiable, and protected health information? Who else has the privileges bestowed upon them to manage and administer this sensitive data? Our heroes, the database administrators have the knowledge and education to secure sensitive data on behalf of organizations and citizens of the known universe.
The handling of sensitive information was a key area explored in the survey. Two-fifths of data managers admit they are not fully aware of where all the sensitive data in their organizations is kept. To take the lead in enterprise data security, industry best practices suggest that following a defense-in-depth strategy is the best approach for securing data. The first step is implementing preventive measures, such as encryption, masking, redacting, and access controls.
To access the full report, titled DBA–Security Superhero: 2014 IOUG Enterprise Data Security Survey, go here.
The survey finds that these measures are still lacking—as they have been since the first survey in this series was conducted in 2008. Those taking proactive measures to lock down data and render it useless to outsiders are still in the minority. Relatively few have safeguards against accidental or intentional staff abuse.
The complexity of today’s data environments, along with management inertia, may be hampering respondents’ abilities to implement full-fledged preventive data protection efforts. About 65% of respondents encrypt data at rest on at least some databases to ensure personally identifiable information is protected—down from 70% in the last survey. An even lower percentage, 18%, ensure that they have blanket coverage for all key databases in their organization—down significantly from 29% from 2008.
In addition, the survey finds organizations are still not doing enough to monitor their data assets or keep tabs on super-users. Only about one-third can prove abuse of data assets. In a world where stolen data can be distributed globally within seconds, two-thirds of managers estimate that it would take a matter of days to remediate a breach, or simply don’t know what length of time would be involved.
Many security proponents see data auditing as a key pillar in a data security strategy, though this often only catches breaches after they have occurred. To make matters worse, data security audits still remain few and far between. Only one-sixth review their data assets at least on a monthly basis.
The latest Unisphere Research-IOUG survey shows that data security is an area of vital interest to enterprises. Yet, many require the proper guidance to achieve greater security. This will be an increasingly important part of the jobs of data managers, as well as their business counterparts.